NSider • Posted on Oct 2, 2023
Protecting Customer PHI and PII
Data privacy and security are among our highest priorities, and NASCO has extensive measures in place to protect the information our customers have entrusted to us. As a NASCO associate or contingent worker, whatever your role, you need to know the difference between PHI and PII and the compliance requirements for handling each. That understanding helps keep customer data secure, keeps NASCO compliant with HIPAA, and spares NASCO the money, time, and resources that a breach would cost.
Personally identifiable information, or PII, is a catch-all term for any information that can be linked to a specific individual. Social Security numbers, passport numbers, driver’s license numbers, postal and email addresses, photos, and biometric data are common examples. Medical, educational, financial, and employment records are all PII when they can be tied to a person. A data element does not have to be sensitive on its own to count: a combination of otherwise ordinary fields (a date of birth together with a ZIP code, for instance) can identify someone just as reliably as a single unique identifier.
“The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information,” the HHS website states.
To help organizations like NASCO manage and protect PII appropriately, NIST Special Publication 800-122 defines a “PII confidentiality impact level” that categorizes PII as low, moderate, or high impact. The level is set by evaluating the harm that could come to individuals and to the organization if the PII were disclosed to the wrong parties.
For example, Social Security numbers are more sensitive than phone numbers, so a data set containing them warrants a higher confidentiality impact level. The quantity of records matters as well: a security event exposing the information of 20 people will usually be far less damaging than one exposing 200,000, which changes how an organization labels and manages the risk of a given system or data set.
Protected health information, or PHI, is the HIPAA term for a subset of PII: individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or one of its business associates. Medical records, lab reports, and hospital bills are PHI, along with any identifiable information relating to an individual’s past, present, or future physical or mental health, the health care provided to them, or payment for that care. Health data that has been properly de-identified under the Privacy Rule is not PHI; it becomes PHI again as soon as it is tied to a name, account number, or other identifier.
When a security event exposes this data, the business is required to report it. Breach notification requirements vary by state, and for PHI the HIPAA Breach Notification Rule additionally requires covered entities to notify the affected individuals and HHS, and in some cases the media. Prompt internal reporting matters because the regulatory notification deadlines run from the date the breach is discovered, not from the date it is fully understood.
Protecting NASCO
You can help NASCO maintain a secure environment for our customers’ data by:
• Completing the annual Compliance Training Requirements
• Carefully reviewing and understanding the Health Information Privacy Policy as part of the annual Policy and Standard Acknowledgements
• Locking your screen whenever you step away and physically securing your laptop when working at home or offsite
• Reporting privacy concerns, or any suspicion that protected health information has been compromised, by clicking here, following the on-screen instructions, and sending an email to privacy@nasco.com
For more information on what to do if customer PHI or PII is accessed or used inappropriately, visit NASCO’s Privacy & Security Incident Reporting - Home (nasco.com)
Source: Healthsecurity.com